Sudo Project Sudo vulnerabilities
48 known vulnerabilities affecting sudo_project/sudo.
Total CVEs: 48
CISA KEV: 2 (actively exploited)
Public exploits: 13
Exploited in wild: 4
Severity breakdown: HIGH 26, MEDIUM 17, LOW 5
Vulnerabilities
Page 3 of 3
CVE-2005-2959 | MEDIUM | CVSS 4.6 | P4 | affected: ≥ 0, < 1.6.8p9-3 | date: 2005-10-25
Incomplete blacklist vulnerability in sudo 1.6.8 and earlier allows local users to gain privileges via the (1) SHELLOPTS and (2) PS4 environment variables before executing a bash script on behalf of another user, which are not cleared even though other variables are.
Source: osv
CVE-2013-2776 | MEDIUM | CVSS 4.4 | P4 | affected: ≥ 0, < 1.8.5p2-1+nmu1 | date: 2013-04-08
sudo 1.3.5 through 1.7.10p5 and 1.8.0 through 1.8.6p6, when running on systems without /proc or the sysctl function with the tty_tickets option enabled, does not properly validate the controlling terminal device, which allows local users with sudo permissions to hijack the authorization of another terminal via vectors related to connecting to the standard input, output, and error file descriptors of another terminal. NOTE: this is one of three closely
Source: osv
CVE-2013-1776 | MEDIUM | CVSS 4.4 | P4 | affected: ≥ 0, < 1.8.5p2-1+nmu1 | date: 2013-04-08
sudo 1.3.5 through 1.7.10 and 1.8.0 through 1.8.5, when the tty_tickets option is enabled, does not properly validate the controlling terminal device, which allows local users with sudo permissions to hijack the authorization of another terminal via vectors related to connecting to the standard input, output, and error file descriptors of another terminal. NOTE: this is one of three closely-related vulnerabilities that were originally assigned CVE-201
Source: osv
CVE-2013-2777 | MEDIUM | CVSS 4.4 | P4 | affected: ≥ 0, < 1.8.5p2-1+nmu1 | date: 2013-04-08
sudo before 1.7.10p5 and 1.8.x before 1.8.6p6, when the tty_tickets option is enabled, does not properly validate the controlling terminal device, which allows local users with sudo permissions to hijack the authorization of another terminal via vectors related to a session without a controlling terminal device and connecting to the standard input, output, and error file descriptors of another terminal. NOTE: this is one of three closely-relate
Source: osv
CVE-2005-1993 | LOW | CVSS 3.7 | P4 | affected: ≥ 0, < 1.6.8p9-1 | date: 2005-06-20
Race condition in sudo 1.3.1 up to 1.6.8p8, when the ALL pseudo-command is used after a user entry in the sudoers file, allows local users to gain privileges via a symlink attack.
Source: osv
CVE-2021-23239 | LOW | CWE-59 | CVSS 2.5 | P4 | fixed in 1.8.32; affected: ≥ 1.9.0, < 1.9.5 | date: 2021-01-12
The sudoedit personality of Sudo before 1.9.5 may allow a local unprivileged user to perform arbitrary directory-existence tests by winning a sudo_edit.c race condition in replacing a user-controlled directory by a symlink to an arbitrary path.
Sources: nvd, osv
CVE-2014-9680 | LOW | CWE-200 | CVSS 3.3 | P4 | affected: ≤ 1.8.11 | date: 2017-04-24
sudo before 1.8.12 does not ensure that the TZ environment variable is associated with a zoneinfo file, which allows local users to open arbitrary files for read access (but not view file contents) by running a program within a sudo session, as demonstrated by interfering with terminal output, discarding kernel-log messages, or repositioning tape drives.
Sources: nvd, osv
CVE-2008-3067 | LOW | CVSS 2.1 | P4 | affected: ≥ 0, < 1.6.9p12-1 | date: 2008-07-07
sudo in SUSE openSUSE 10.3 does not clear the stdin buffer when password entry times out, which might allow local users to obtain a password by reading stdin from the parent process after a sudo child process exits.
Source: osv